The ACSC is aware of a security issue affecting 50 million Facebook user accounts whereby a flaw in the 'View As' feature allowed attackers to steal Facebook access tokens, which could be used to take over users' accounts. Access tokens are the equivalent of digital keys that allow users to remain logged into Facebook.

We recently reported a security issue affecting an estimated 50M Facebook user accounts, between July 2017 and September 2018.

Over the weekend, Facebook issued an update reporting that fewer people were impacted by the theft of access tokens than originally thought.

‘Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen,’ Facebook reported.

Facebook explained that the attack allowed cyber criminals to steal access tokens and take over accounts by using the ‘View As’ feature, which allows people to view how their Facebook page appears to other Facebook users.

Facebook has not ruled out the possibility of smaller-scale attacks, which it is continuing to investigate. The social media giant reminded its customers to visit its Help Centre to check whether they have been affected.

Facebook will also contact affected users to explain what information may have been accessed and the steps users can take to protect themselves from suspicious emails, texts or phone calls.

The ACSC is continuing to investigate the issue with the Office of the Australian Information Commissioner.

Facebook reports that it is cooperating with the US Federal Bureau of Investigation, which is actively investigating the incident.

Visit the Facebook Help Centre